Overview - Yara rules

// Hunting rule (see disclaimer): two 16-byte hex blobs — presumably the key material the
// `descr` field refers to — plus an AES block-size error message carrying Go-style %v verbs.
// The message keeps the sample's "less that" wording on purpose: it is match content, not
// prose, and must not be "corrected".
// NOTE(review): meta uses `descr` where every other rule on this page uses `description`;
// tooling that keys on the conventional field name will not see this text.
rule MTI_HUNTING_Crypto_GRIMPLANT_GRAPHSTEEL {
	meta:
		author = "Mandiant Threat Intelligence"
		descr = "Find the crypto key for GRIMPLANT/GRAPHSTEEL C2 decryption"
		disclaimer = "This rule is meant for hunting and is not tested to run in a production environment."
	strings:
		// Anonymous strings ($) work with "all of them" but carry no per-string identifier
		// in match output, which makes triage of partial hits harder.
		$ = { F1 D2 19 60 D8 EB 2F DD F2 53 8D 29 A5 FD 50 B5 }
		$ = { F6 4A 3F 9B F0 6F 2A 3C 4C 95 04 38 C9 A7 F7 8E }
		$ = " ciphertext is not large enough. It is less that one block size. Blocksize:%v; Ciphertext:%v"
	condition:
		all of them
}
// Hunts the AsRock driver exploit tool: a PE that embeds a second PE (exactly two DOS stubs),
// with the exploit's own PDB path located before the second stub and the legitimate
// AsrDrv103 driver's PDB path after it — presumably the exploit executable carrying the
// vulnerable signed driver as an embedded resource (confirm against the reference sample).
// NOTE(review): there is no MZ or filesize guard, so every scanned file is searched in full;
// a leading `uint16(0) == 0x5A4D` would cheaply skip non-PE content, for which the offset
// arithmetic below is meaningless anyway.
rule MTI_Hunting_AsRockDriver_Exploit_PDB {
	meta:
		author = "Mandiant"
		date = "03-23-2022"	// MM-DD-YYYY, unlike the ISO dates used by the Elastic rules on this page
		description = "Searching for executables containing strings associated with AsRock driver Exploit."
	strings:
		$dos_stub = "This program cannot be run in DOS mode"
		// YARA text strings need \\ for one literal backslash.
		$pdb_bad = "dev projects\\SignSploit1\\x64\\Release\\AsrDrv_exploit.pdb"
		$pdb_good = "c:\\asrock\\work\\asrocksdk_v0.0.69\\asrrw\\src\\driver\\src\\objfre_win7_amd64\\amd64\\AsrDrv103.pdb"
	condition:
		// #dos_stub == 2: exactly two DOS stubs. @dos_stub[2] is the offset of the second one
		// (YARA string offsets are 1-indexed; a bare @pdb_bad means @pdb_bad[1]).
		all of them and (@pdb_bad < @dos_stub[2]) and (#dos_stub == 2) and (@pdb_good > @dos_stub[2])
}
// Looser sibling of MTI_Hunting_AsRockDriver_Exploit_PDB: drops the exploit-specific PDB
// string and keys only on a PE embedding a second PE whose legitimate AsrDrv103 PDB path
// sits after the second DOS stub. Expect hits on any software that bundles that driver,
// not just the exploit tool; triage accordingly.
// NOTE(review): same missing MZ/filesize guard as the _PDB variant.
rule MTI_Hunting_AsRockDriver_Exploit_Generic {
	meta:
		author = "Mandiant"
		date = "03-23-2022"	// MM-DD-YYYY
		description = "Searching for executables containing strings associated with AsRock driver Exploit."
	strings:
		$dos_stub = "This program cannot be run in DOS mode"
		$pdb_good = "c:\\asrock\\work\\asrocksdk_v0.0.69\\asrrw\\src\\driver\\src\\objfre_win7_amd64\\amd64\\AsrDrv103.pdb"
	condition:
		// Exactly two DOS stubs, and the driver PDB path must follow the second one
		// (YARA string offsets are 1-indexed).
		all of them and (#dos_stub == 2) and (@pdb_good > @dos_stub[2])
}
// Hunts modified MICROBACKDOOR builds by co-occurrence of seven short command/config words.
// Individually these are generic (no `fullword`, and "shell"/"uninst" appear in plenty of
// benign binaries); only the `all of them` condition keeps the rule usable.
// "Timeout occured" keeps the sample's misspelling on purpose — it is match content.
// NOTE(review): no author/date meta, unlike the neighbouring Mandiant rules.
rule MTI_Hunt_APT_Modified_MICROBACKDOOR_Strings {
	meta:
		description = "Detects strings found in modified MICROBACKDOOR samples with screenshot capability"
		disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
	strings:
		$a = "ERROR: Unknown command"
		$b = "ProxyServer"
		$c = "screenshot"
		$d = "uninst"
		$e = "shell"
		$f = "client.dll"
		$g = "Timeout occured"
	condition:
		all of them
}
// Elastic's code-pattern signature for SpectralViper: eight opcode sequences, 5 of 8 required.
// NOTE(review): meta says arch = "x86", but the patterns are full of REX prefixes
// (48 89 D3, 4C 89 C7, 4D 89 CE …) and so look like x86-64 code; confirm the intended
// meaning of the arch field before filtering on it.
rule Windows_Trojan_SpectralViper_1 {
	meta:
		author = "Elastic Security"
		creation_date = "2023-04-13"
		last_modified = "2023-05-26"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "SpectralViper"
		threat_name = "Windows.Trojan.SpectralViper"
		reference_sample = "7e35ba39c2c77775b0394712f89679308d1a4577b6e5d0387835ac6c06e556cb"
		license = "Elastic License v2"
	strings:
		// $a1/$a2/$a3/$a6/$a8 share the same skeleton (8D xx FF 0F AF xx F6/40 F6 Cx 01 0F 94 44 24 xx
		// 83 Fx 0A 0F 9C 44 24 xx …) with different registers and stack offsets — the same
		// routine compiled with different register allocation, presumably.
		$a1 = { 13 00 8D 58 FF 0F AF D8 F6 C3 01 0F 94 44 24 26 83 FD 0A 0F 9C 44 24 27 4D 89 CE 4C 89 C7 48 89 D3 48 89 CE B8 }
		$a2 = { 15 00 8D 58 FF 0F AF D8 F6 C3 01 0F 94 44 24 2E 83 FD 0A 0F 9C 44 24 2F 4D 89 CE 4C 89 C7 48 89 D3 48 89 CE B8 }
		$a3 = { 00 8D 68 FF 0F AF E8 40 F6 C5 01 0F 94 44 24 2E 83 FA 0A 0F 9C 44 24 2F 4C 89 CE 4C 89 C7 48 89 CB B8 }
		$a4 = { 00 48 89 C6 0F 29 30 0F 29 70 10 0F 29 70 20 0F 29 70 30 0F 29 70 40 0F 29 70 50 48 C7 40 60 00 00 00 00 48 89 C1 E8 }
		$a5 = { 41 0F 45 C0 45 84 C9 41 0F 45 C0 EB BA 48 89 4C 24 08 89 D0 EB B1 48 8B 44 24 08 48 83 C4 10 C3 56 57 53 48 83 EC 30 8B 05 }
		$a6 = { 00 8D 70 FF 0F AF F0 40 F6 C6 01 0F 94 44 24 25 83 FF 0A 0F 9C 44 24 26 89 D3 48 89 CF 48 }
		$a7 = { 48 89 CE 48 89 11 4C 89 41 08 41 0F 10 01 41 0F 10 49 10 41 0F 10 51 20 0F 11 41 10 0F 11 49 20 0F 11 51 30 }
		$a8 = { 00 8D 58 FF 0F AF D8 F6 C3 01 0F 94 44 24 22 83 FD 0A 0F 9C 44 24 23 48 89 D6 48 89 CF 4C 8D }
	condition:
		5 of them
}
// Hunts TAR archives whose member names contain "/tmp/" in base64 form (the sibling
// M_Hunting_Exploit_Archive_* rules on this page tie this to CVE-2023-2868 payloads).
// `$ustar at 257` pins the POSIX "ustar" magic of the first 512-byte header; the `base64`
// modifier expands "/tmp/" into its three alignment variants.
// NOTE(review): the loop walks blocks 0..#ustar at fixed 512-byte strides, i.e. it assumes
// every header lies within the first #ustar blocks. Members with non-empty bodies push later
// headers beyond the scanned range — presumably acceptable for the targeted archives, but
// confirm before relying on it for broader coverage. i = 0 covers the first header's
// name field, so the 0-based range is intentional here.
rule M_Hunting_Exploit_Archive_2 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for TAR archives with /tmp/ base64 encoded being part of filename of enclosed files"
		md5 = "0d67f50a0bf7a3a017784146ac41ada0"
	strings:
		$ustar = { 75 73 74 61 72 }	// "ustar"
		$b64_tmp = "/tmp/" base64
	condition:
		// Only the first 250 bytes of each block are searched — the name/mode/uid/gid/size
		// fields of a header — so a hit inside file data is not counted.
		filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $b64_tmp in (i * 512 .. i * 512 + 250) )
}
// Second SpectralViper code signature: two of the three $a patterns, or any single $s pattern.
// $s3 contains `48 B8 AB AA AA AA AA AA AA AA` — mov rax, 0xAAAAAAAAAAAAAAAB, which looks like a
// compiler's multiply-by-reciprocal constant for an unsigned divide by 3 (the following
// 48 F7 61 10 / 48 C1 EA mul+shr fit that idiom); that part is compiler output, so the
// specificity comes from the surrounding bytes.
// NOTE(review): as with Windows_Trojan_SpectralViper_1, arch = "x86" while the patterns use
// REX prefixes (48 …), i.e. x86-64 code.
rule Windows_Trojan_SpectralViper_2 {
	meta:
		author = "Elastic Security"
		creation_date = "2023-05-10"
		last_modified = "2023-05-10"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "SpectralViper"
		threat_name = "Windows.Trojan.SpectralViper"
		reference_sample = "d1c32176b46ce171dbce46493eb3c5312db134b0a3cfa266071555c704e6cff8"
		license = "Elastic License v2"
	strings:
		$a1 = { 18 48 89 4F D8 0F 10 40 20 0F 11 47 E0 0F 10 40 30 0F 11 47 F0 48 8D }
		$a2 = { 24 27 48 83 C4 28 5B 5D 5F 5E C3 56 57 53 48 83 EC 20 48 89 CE 48 }
		$a3 = { C7 84 C9 0F 45 C7 EB 86 48 8B 44 24 28 48 83 C4 30 5B 5F 5E C3 48 83 }
		// $s1/$s2: the same small thunk (40 53 48 83 EC 20 48 8B 01 48 8B D9 … FF D0 48 89 43 …)
		// differing only in which struct field is loaded and stored.
		$s1 = { 40 53 48 83 EC 20 48 8B 01 48 8B D9 48 8B 51 10 48 8B 49 08 FF D0 48 89 43 18 B8 04 00 00 }
		$s2 = { 40 53 48 83 EC 20 48 8B 01 48 8B D9 48 8B 49 08 FF D0 48 89 43 10 B8 04 00 00 00 48 83 C4 20 5B }
		$s3 = { 48 83 EC 28 4C 8B 41 18 4C 8B C9 48 B8 AB AA AA AA AA AA AA AA 48 F7 61 10 48 8B 49 08 48 C1 EA }
	condition:
		2 of ($a*) or any of ($s*)
}
// PowerSeal loader: the assembly name (UTF-16, hence `wide`), an "InvokePs" method name,
// the "amsiInitFailed" field name that AMSI-tampering code sets via reflection, and an
// OS-bitness check. `fullword` on every string stops substrings of longer identifiers from
// matching. All four are required.
// Detection note: "amsiInitFailed" on its own is a useful low-noise pivot for AMSI tampering
// in any PowerShell-hosting binary, not just this family.
rule Windows_Trojan_PowerSeal_1 {
	meta:
		author = "Elastic Security"
		creation_date = "2023-03-16"
		last_modified = "2023-05-26"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "PowerSeal"
		threat_name = "Windows.Trojan.PowerSeal"
		license = "Elastic License v2"
	strings:
		$a1 = "PowerSeal.dll" wide fullword
		$a2 = "InvokePs" ascii fullword
		$a3 = "amsiInitFailed" wide fullword
		$a4 = "is64BitOperatingSystem" ascii fullword
	condition:
		all of them
}
// PowerSeal runtime/log strings; 2 of 3 required. These are ascii-only (no `wide`), so a
// build that stores the same messages as UTF-16 would not match — check the samples' string
// encoding if hit rates are lower than expected.
rule Windows_Trojan_PowerSeal_2 {
	meta:
		author = "Elastic Security"
		creation_date = "2023-05-10"
		last_modified = "2023-05-10"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "PowerSeal"
		threat_name = "Windows.Trojan.PowerSeal"
		license = "Elastic License v2"
	strings:
		$a1 = "[+] Loading PowerSeal"
		$a2 = "[!] Failed to exec PowerSeal"
		$a3 = "AppDomain: unable to get the name!"
	condition:
		2 of them
}
// P8Loader debug/format strings; 5 of 8 required. \t and \n are YARA escapes for tab and
// newline, so these match the raw printf-style format text in the binary.
// NOTE(review): $a8 is byte-for-byte identical to $a5, so the two always match together and
// "5 of them" effectively needs only 4 distinct strings when that message is present (or 5 of
// the remaining 6 when it is not). Likely a copy-paste slip; decide whether a different string
// was intended or whether the threshold should be revisited before changing anything.
rule Windows_Trojan_P8Loader {
	meta:
		author = "Elastic Security"
		creation_date = "2023-04-13"
		last_modified = "2023-05-26"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "P8Loader"
		threat_name = "Windows.Trojan.P8Loader"
		license = "Elastic License v2"
	strings:
		$a1 = "\t[+] Create pipe direct std success\n" fullword
		$a2 = "\tPEAddress: %p\n" fullword
		$a3 = "\tPESize: %ld\n" fullword
		$a4 = "DynamicLoad(%s, %s) %d\n" fullword
		$a5 = "LoadLibraryA(%s) FAILED in %s function, line %d" fullword
		$a6 = "\t[+] No PE loaded on memory\n" wide fullword
		$a7 = "\t[+] PE argument: %ws\n" wide fullword
		$a8 = "LoadLibraryA(%s) FAILED in %s function, line %d" fullword	// duplicate of $a5, see note above
	condition:
		5 of them
}
import "pe"

// Strict PRIVATELOG/STASHLOG hunt: a valid PE header, both named-object prefixes, and all four
// imports. clfsw32.dll is the Common Log File System API and ktmw32.dll the Kernel Transaction
// Manager API; together with VirtualProtect and CreateFileTransactedA they form the
// import-based signal the description mentions. Needs the `import "pe"` above.
// `uint32(uint32(0x3C))` follows e_lfanew to the "PE\0\0" signature (0x00004550).
// NOTE(review): $hvid is ascii-only while $apci is wide-only; if both names are built by the
// same code they are probably stored in the same encoding — confirm against the md5 sample.
rule HUNTING_Win_PRIVATELOG_1_strict {
	meta:
		author = "adrien.bataille@mandiant.com"
		description = "Detects PRIVATELOG and STASHLOG variants based on strings and imports"
		md5 = "91b08896fbda9edb8b6f93a6bc811ec6"
	strings:
		$hvid = "Global\\HVID_"
		$apci = "Global\\APCI#" wide
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (all of them and (pe.imports("clfsw32.dll", "CreateLogMarshallingArea") and pe.imports("kernel32.dll", "VirtualProtect") and pe.imports("ktmw32.dll", "CreateTransaction") and pe.imports("kernel32.dll", "CreateFileTransactedA")))
}
import "pe"

// Detects a PE that exports PTOpenProviderEx (as the real prntvpt.dll does) but lacks
// MergeAndValidatePrintTicketThunk — the partial export table of a look-alike DLL planted for
// the hijack the description refers to. A rule with no strings: section is valid YARA; every
// check here comes from the pe module (`import "pe"` above).
// Expect occasional hits on legitimate prntvpt.dll builds whose export set differs; pair with
// file-path and signature checks when triaging.
rule HUNTING_Win_hijack_prntvpt {
	meta:
		author = "adrien.bataille@mandiant.com"
		description = "Detects possible hijack of legitimate prntvpt.dll based on missing export"
		md5 = "91b08896fbda9edb8b6f93a6bc811ec6"
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and pe.exports("PTOpenProviderEx") and not pe.exports("MergeAndValidatePrintTicketThunk")
}
import "pe"

// Loose sibling of HUNTING_Win_PRIVATELOG_1_strict: either named-object prefix on its own, or
// the full import set, is enough. The description already warns about the higher FP rate; the
// PE header checks up front keep it from matching non-PE content. Needs `import "pe"` above.
// Same ascii/wide asymmetry between $hvid and $apci as in the strict rule.
rule HUNTING_Win_PRIVATELOG_2_notstrict {
	meta:
		author = "adrien.bataille@mandiant.com"
		description = "Detects possible PRIVATELOG and STASHLOG variants based on strings or imports. This rule is purposefully loose so there may be a higher FP rate."
		md5 = "91b08896fbda9edb8b6f93a6bc811ec6"
	strings:
		$hvid = "Global\\HVID_"
		$apci = "Global\\APCI#" wide
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (any of them or (pe.imports("clfsw32.dll", "CreateLogMarshallingArea") and pe.imports("kernel32.dll", "VirtualProtect") and pe.imports("ktmw32.dll", "CreateTransaction") and pe.imports("kernel32.dll", "CreateFileTransactedA")))
}
// Hunts Outlook Home Page persistence payloads: a non-PE file (uint16(0) != 0x5A4D) containing
// HTML and <script> markers plus one Outlook View Control indicator — the ViewCtl1 object name,
// a CLSID (presumably the View Control's, given the neighbouring identifier), or the
// .OutlookApplication property. `ascii wide` on each string covers UTF-8 and UTF-16 documents.
// NOTE(review): no description/date meta; the rule name is the only documentation.
rule Hunting_Outlook_Homepage_Shell_and_Persistence {
	meta:
		author = "Nick Carr (@itsreallynick)"
		reference_hash = "506fe019d48ff23fac8ae3b6dd754f6e"
	strings:
		$script_1 = "<htm" ascii wide nocase	// matches <html> and <htm
		$script_2 = "<script" ascii wide nocase
		$viewctl1_a = "ViewCtl1" ascii wide nocase
		$viewctl1_b = "0006F063-0000-0000-C000-000000000046" ascii wide
		$viewctl1_c = ".OutlookApplication" ascii wide nocase
	condition:
		uint16(0) != 0x5A4D and all of ($script*) and any of ($viewctl1*)
}
// Hunts TAR archives whose member names contain "openssl" in base64 form; same structure as
// M_Hunting_Exploit_Archive_2 with a different needle. `$ustar at 257` pins the POSIX "ustar"
// magic of the first header; `base64` expands the needle into its three alignment variants.
// NOTE(review): same caveat as Archive_2 — the loop scans blocks 0..#ustar at fixed 512-byte
// strides, so headers that follow members with non-empty bodies can fall outside the scanned
// range. Presumably fine for the targeted archives; confirm before widening use.
rule M_Hunting_Exploit_Archive_3 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for TAR archive with openssl base64 encoded being part of filename of enclosed files"
		md5 = "0d67f50a0bf7a3a017784146ac41ada0"
	strings:
		$ustar = { 75 73 74 61 72 }	// "ustar"
		$b64_openssl = "openssl" base64
	condition:
		// Only the first 250 bytes of each block (header name/mode/uid/gid/size fields) are searched.
		filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $b64_openssl in (i * 512 .. i * 512 + 250) )
}
// Hunts CVE-2023-2868 TAR payloads: a member name beginning with a single quote followed by a
// backtick (the two-byte string in $qb).
// `@ustar[i] + 255` is header_start + 512 (the magic sits at header offset 257), i.e. the first
// byte of the block after header i — which is the name field of the next header only when
// member i has no data. Presumably that is how the crafted archives are laid out; confirm
// against the md5 sample before widening the rule. @ustar[0] is undefined in YARA, so the
// i = 0 iteration simply evaluates false and the 0-based range is harmless.
rule M_Hunting_Exploit_Archive_CVE_2023_2868 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868"
		md5 = "0d67f50a0bf7a3a017784146ac41ada0"
	strings:
		$ustar = { 75 73 74 61 72 }	// "ustar"
		$qb = "'`"
	condition:
		filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $qb at (@ustar[i] + 255) )
}
// ELF-only (0x464c457f is "\x7fELF" read as a little-endian uint32). $s1 and $s3 begin with
// 71 75 69 74 0D 0A = "quit\r\n" followed by a byte run that does not decode as text and is
// shared between $s1 and $s2 — presumably encoded or obfuscated data. Any one pattern matches.
rule M_Hunting_Linux_SALTWATER_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings observed in SALTWATER samples."
		md5 = "827d507aa3bde0ef903ca5dec60cdec8"
	strings:
		$s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
		$s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
		$s3 = { 71 75 69 74 0D 0A 00 00 00 12 8D 03 07 9C 17 92 08 F0 0C 9A 01 06 08 00 1A 0C 0B 8D 18 0A 0D 0A }
	condition:
		uint32(0) == 0x464c457f and any of them
}
// ELF-only. Matches on any one of the more specific $s strings (a popen error, a hard-coded
// cert path, a bind-shell library name) or on four of the ten channel/helper symbol names.
// Several $c names (GetFileSize, UploadChannel …) are plausible in benign code, hence the
// 4-of threshold rather than any-of for that group.
rule M_Hunting_Linux_SALTWATER_2 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings observed in SALTWATER samples."
		md5 = "827d507aa3bde0ef903ca5dec60cdec8"
	strings:
		$c1 = "TunnelArgs"
		$c2 = "DownloadChannel"
		$c3 = "UploadChannel"
		$c4 = "ProxyChannel"
		$c5 = "ShellChannel"
		$c6 = "MyWriteAll"
		$c7 = "MyReadAll"
		$c8 = "Connected2Vps"
		$c9 = "CheckRemoteIp"
		$c10 = "GetFileSize"
		$s1 = "[-] error: popen failed"
		$s2 = "/home/product/code/config/ssl_engine_cert.pem"
		$s3 = "libbindshell.so"
	condition:
		uint32(0) == 0x464c457f and (any of ($s*) or 4 of ($c*))
}
// Flags ELF binaries that embed the open-source funchook hooking library (URL in the
// description): more than five "funchook_" prefix occurrences, or four of its log format
// strings. funchook is a legitimate library, so this is a hunting pivot for unexpected inline
// hooking rather than a malware signature — expect benign hits and triage by context.
// NOTE(review): $s28 duplicates $s26 byte-for-byte, so one message counts twice toward
// "4 of ($s*)". $s25 has a single leading space where its neighbours have two; a one-space
// prefix is a substring of the two-space form, so it still matches either spelling.
rule FE_Hunting_Linux_Funchook_FEBeta {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings observed in Funchook library - https://github.com/kubo/funchook"
		md5 = "827d507aa3bde0ef903ca5dec60cdec8"
	strings:
		$f = "funchook_"
		$s1 = "Enter funchook_create()"
		$s2 = "Leave funchook_create() => %p"
		$s3 = "Enter funchook_prepare(%p, %p, %p)"
		$s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
		$s5 = "Enter funchook_install(%p, 0x%x)"
		$s6 = "Leave funchook_install() => %d"
		$s7 = "Enter funchook_uninstall(%p, 0x%x)"
		$s8 = "Leave funchook_uninstall() => %d"
		$s9 = "Enter funchook_destroy(%p)"
		$s10 = "Leave funchook_destroy() => %d"
		$s11 = "Could not modify already-installed funchook handle."
		$s12 = "  change %s address from %p to %p"
		$s13 = "  link_map addr=%p, name=%s"
		$s14 = "  ELF type is neither ET_EXEC nor ET_DYN."
		$s15 = "  not a valid ELF module %s."
		// The "(size=%" strings are cut before the length-modifier so they match regardless of
		// which printf size specifier the build used.
		$s16 = "Failed to protect memory %p (size=%"
		$s17 = "  protect memory %p (size=%"
		$s18 = "Failed to unprotect memory %p (size=%"
		$s19 = "  unprotect memory %p (size=%"
		$s20 = "Failed to unprotect page %p (size=%"
		$s21 = "  unprotect page %p (size=%"
		$s22 = "Failed to protect page %p (size=%"
		$s23 = "  protect page %p (size=%"
		$s24 = "Failed to deallocate page %p (size=%"
		$s25 = " deallocate page %p (size=%"
		$s26 = "  allocate page %p (size=%"
		$s27 = "  try to allocate %p but %p (size=%"
		$s28 = "  allocate page %p (size=%"	// duplicate of $s26, see note above
		$s29 = "Could not find a free region near %p"
		$s30 = "  -- Use address %p or %p for function %p"
	condition:
		uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
}
// ELF-only, all six strings required. The usage text names ./BarracudaMailService — the
// backdoor presumably presents itself as the appliance's mail service — and pcap_lookupnet
// points at libpcap-based packet capture. The strict all-of condition favours precision over
// recall; a variant that changes any one message is missed.
rule M_Hunting_Linux_SEASPY_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings observed in SEASPY samples."
		md5 = "4ca4f582418b2cc0626700511a6315c0"
	strings:
		$s1 = "usage: ./BarracudaMailService <Network-Interface>. e.g.: ./BarracudaMailService eth0"
		$s2 = "NO port code"
		$s3 = "pcap_lookupnet: %s"
		$s4 = "Child process id:%d"
		$s5 = "[*]Success!"
		$s6 = "enter open tty shell..."
	condition:
		uint32(0) == 0x464c457f and all of ($s*)
}
// Lua source hunting: an on_helo() hook that looks for ".onion" in the SMTP HELO value,
// prefixes it with 'pd ' and hands it to os.execute — command delivery via the HELO string.
// These are exact-text fragments, so reformatted or minified copies will not match; all four
// are required. Under 1 MB to skip large unrelated files.
rule M_Hunting_Lua_SEASIDE_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings observed in SEASIDE samples."
		md5 = "cd2813f0260d63ad5adf0446253c2172"
	strings:
		$s1 = "function on_helo()"
		$s2 = "local bindex,eindex = string.find(helo,'.onion')"
		$s3 = "helosend = 'pd'..' '..helosend"
		$s4 = "os.execute(helosend)"
	condition:
		(filesize < 1MB) and all of ($s*)
}
// Hunts the SKIPJACK installer: a /bin/sh script carrying the Lua module body base64-encoded
// (the `base64` modifier matches the three alignment variants of each fragment) plus the
// plaintext "mod_content.lua" target name. All six strings are required.
// NOTE(review): the base64 modifier cannot match across a line break inside the encoded blob.
// If the installer wraps its payload (GNU base64 wraps at 76 columns by default, and
// `base64 -d` accepts wrapped input), longer fragments such as $str3 may straddle a line end
// and fail to match — verify against the md5 sample.
rule M_Hunting_SKIPJACK_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings observed in SKIPJACK installation script."
		md5 = "e4e86c273a2b67a605f5d4686783e0cc"
	strings:
		$str1 = "hdr:name() == 'Content-ID'" base64
		$str2 = "hdr:body() ~= nil" base64
		// \" is a literal quote; \\r and \\n are literal backslash-r / backslash-n in the Lua source.
		$str3 = "string.match(hdr:body(),\"^[%w%+/=\\r\\n]+$\")" base64
		$str4 = "openssl aes-256-cbc" base64
		$str5 = "mod_content.lua"
		$str6 = "#!/bin/sh"
	condition:
		all of them
}
// Plaintext counterpart of M_Hunting_SKIPJACK_1 for the decoded Lua module: the same
// Content-ID header check and openssl aes-256-cbc fragments, plus the "| base64 -d| sh 2>"
// pipeline that decodes and executes the header body. All five are required; exact text,
// so whitespace or quoting changes in a variant defeat the rule.
rule M_Hunting_Lua_SKIPJACK_2 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings observed in SKIPJACK samples."
		md5 = "87847445f9524671022d70f2a812728f"
	strings:
		$str1 = "hdr:name() == 'Content-ID'"
		$str2 = "hdr:body() ~= nil"
		$str3 = "string.match(hdr:body(),\"^[%w%+/=\\r\\n]+$\")"
		$str4 = "openssl aes-256-cbc"
		$str5 = "| base64 -d| sh 2>"
	condition:
		all of them
}
// Lua hunting for SEASPRAY: an attachment-filename trigger ('obt075'), a copy of the temp
// file into /tmp/, and an os.execute of 'rverify' against that path. Exact-text fragments,
// all three required; a variant that renames the trigger token or re-quotes the command is
// not caught.
rule M_Hunting_Lua_SEASPRAY_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings observed in SEASPRAY samples."
		md5 = "35cf6faf442d325961935f660e2ab5a0"
	strings:
		$str1 = "string.find(attachment:filename(),'obt075') ~= nil"
		$str2 = "os.execute('cp '..tostring(tmpfile)..' /tmp/'..attachment:filename())"
		$str3 = "os.execute('rverify'..' /tmp/'..attachment:filename())"
	condition:
		all of them
}
// ELF-only, under 15 MB. Matches either all three socket-error strings plus the $s4 code
// stub, or all three $c symbol/source names.
// $s4 decodes as `mov dword [rax], 0x263E3220` (" 2>&") followed by `mov word [rax+4], 0x0031`
// ("1\0") — code that assembles the literal " 2>&1" one immediate at a time instead of keeping
// it as a plain string, which is why it is expressed as a hex pattern.
rule M_Hunting_Linux_WHIRLPOOL_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings observed in WHIRLPOOL samples."
		md5 = "177add288b289d43236d2dba33e65956"
	strings:
		$s1 = "error -1 exit" fullword
		$s2 = "create socket error: %s(error: %d)\n" fullword
		$s3 = "connect error: %s(error: %d)\n" fullword
		$s4 = { C7 00 20 32 3E 26 66 C7 40 04 31 00 }
		$c1 = "plain_connect" fullword
		$c2 = "ssl_connect" fullword
		$c3 = "SSLShell.c" fullword
	condition:
		filesize < 15MB and uint32(0) == 0x464c457f and (all of ($s*) or all of ($c*))
}